Sudden emergence of an email address

We use a self-hosted GitLab CE instance that gets regular updates, typically no later than three weeks after a security patch is released.

The server is available on the internet and there are a few public projects. Each of these projects has exactly one maintainer, which is a technical user that has the following properties (or had until a few days ago):

  • regular user (not an admin)
  • a dummy email with this ending:
  • a personal access token with api scope

The personal access token is used by a job of a private repo to push stuff to one of the public repos.
Recently, this push started to fail with a 401.

Then, we found out that this technical user has a second email ending with (TLD of Cameroon). We also found out from the logs that this email obviously was confirmed.

We also found out that the 401 occurs if the user is unconfirmed, but I am not sure when and whether the user was unconfirmed. We’re just trying to reconstruct this timeline from the backups. (not sure if this can be seen in the logs / the DB?)

Is there an explanation for this other than hacking?
And if we got hacked, is there a known vulnerability that might be involved here, maybe one that got closed recently?

Best regards